Update LOCALIZING.md

Added a section on handling updates for translations.
Enable GitHub private security issue reporting and update policies (#653 )
2026-04-09 18:57:22 +02:00 · 2025-09-01 18:54:16 -07:00 · 2025-09-02 01:46:06 +00:00 · 2025-09-01 02:41:47 +00:00
10 changed files with 42 additions and 168 deletions
--- a/LOCALIZING.md
+++ b/LOCALIZING.md
@@ -18,7 +18,7 @@ Open [Sources/Secretive.xcodeproj](Sources/Secretive.xcodeproj) in Xcode.

 ### Translate

-Navigate to [Secretive/Localizable](Sources/Secretive/Localizable.xcstrings). 
+Navigate to [Sources/Packages/Localizable.xcstrings](Sources/Packages/Localizable.xcstrings). 

 <img src="/.github/readme/localize_sidebar.png" alt="Screenshot of Xcode navigating to the Localizable file" width="300">

@@ -32,6 +32,12 @@ Start translating! You'll see a list of english phrases, and a space to add a tr

 Push your changes and open a pull request. 

+### Handling Updates
+
+When your translation is merged, I'll invite you to the [secretive-localizers](https://github.com/secretive-localizers) group. I'll tag this group anytime there's a new set of strings, in the hopes that you'll update the translation. If you don't want to be notified, feel free to decline the invitation or leave the organization at any time.
+
 ### Questions

 Please open an issue if you have a question about translating the app. I'm more than happy to clarify any terms that are ambiguous or confusing. Thanks for contributing!
+
+
--- a/README.md
+++ b/README.md
@@ -61,4 +61,4 @@ Because secrets in the Secure Enclave are not exportable, they are not able to b

 ## Security

-If you discover any vulnerabilities in this project, please notify [max.goedjen@gmail.com](mailto:max.goedjen@gmail.com) with the subject containing "SECRETIVE SECURITY."
+Secretive's security policy is detailed in [SECURITY.md](SECURITY.md). To report security issues, please use [GitHub's private reporting feature.](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -24,4 +24,4 @@ The latest version on the [Releases page](https://github.com/maxgoedjen/secretiv

 ## Reporting a Vulnerability

-If you discover any vulnerabilities in this project, please notify max.goedjen@gmail.com with the subject containing "SECRETIVE SECURITY."
+To report security issues, please use [GitHub's private reporting feature.](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)
--- a/Sources/Packages/Sources/SecretAgentKit/Agent.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/Agent.swift
@@ -43,7 +43,7 @@ extension Agent {
        }
        let requestTypeInt = data[4]
        guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
-            logger.debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription) for unknown request type \(requestTypeInt)")
+            logger.debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
            return SSHAgent.ResponseType.agentFailure.data.lengthAndData
        }
        logger.debug("Agent handling request of type \(requestType.debugDescription)")
@@ -66,25 +66,10 @@ extension Agent {
                response.append(SSHAgent.ResponseType.agentSignResponse.data)
                response.append(try await sign(data: data, provenance: provenance))
                logger.debug("Agent returned \(SSHAgent.ResponseType.agentSignResponse.debugDescription)")
-            case .protocolExtension:
-                response.append(SSHAgent.ResponseType.agentExtensionResponse.data)
-                try await handleExtension(data)
-            default:
-                let reader = OpenSSHReader(data: data)
-                while true {
-                    do {
-                        let payloadHash = try reader.readNextChunk()
-                        print(String(String(decoding: payloadHash, as: UTF8.self)))
-                        print(payloadHash)
-                    } catch {
-                        break
-                    }
-                }
-                logger.debug("Agent received valid request of type \(requestType.debugDescription), but not currently supported.")
-                response.append(SSHAgent.ResponseType.agentFailure.data)
            }
        } catch {
-            response = SSHAgent.ResponseType.agentFailure.data
+            response.removeAll()
+            response.append(SSHAgent.ResponseType.agentFailure.data)
            logger.debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
        }
        return response.lengthAndData
@@ -92,28 +77,6 @@ extension Agent {

 }

-// PROTOCOL EXTENSIONS
-extension Agent {
-
-    func handleExtension(_ data: Data) async throws {
-        let reader = OpenSSHReader(data: data)
-        guard try reader.readNextChunkAsString() == "session-bind@openssh.com" else { throw UnsupportedExtensionError() }
-        let hostKey = try reader.readNextChunk()
-        let keyReader = OpenSSHReader(data: hostKey)
-        _ = try keyReader.readNextChunkAsString() // Key Type
-        let keyData = try keyReader.readNextChunk()
-        let sessionID = try reader.readNextChunk()
-        let signatureData = try reader.readNextChunk()
-        let forwarding = try reader.readNextBytes(as: Bool.self)
-        let signatureReader = OpenSSHSignatureReader()
-        guard try signatureReader.verify(signatureData, for: sessionID, with: keyData) else { throw SignatureVerificationFailedError() }
-        print("Fowarding: \(forwarding)")
-    }
-
-    struct UnsupportedExtensionError: Error {}
-    struct SignatureVerificationFailedError: Error {}
-}
-
 extension Agent {

    /// Lists the identities available for signing operations
@@ -149,7 +112,7 @@ extension Agent {
    /// - Returns: An OpenSSH formatted Data payload containing the signed data response.
    func sign(data: Data, provenance: SigningRequestProvenance) async throws -> Data {
        let reader = OpenSSHReader(data: data)
-        let payloadHash = try reader.readNextChunk()
+        let payloadHash = reader.readNextChunk()
        let hash: Data

        // Check if hash is actually an openssh certificate and reconstruct the public key if it is
@@ -166,7 +129,7 @@ extension Agent {

        try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)

-        let dataToSign = try reader.readNextChunk()
+        let dataToSign = reader.readNextChunk()
        let rawRepresentation = try await store.sign(data: dataToSign, with: secret, for: provenance)
        let signedData = signatureWriter.data(secret: secret, signature: rawRepresentation)

--- a/Sources/Packages/Sources/SecretAgentKit/SSHAgentProtocol.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SSHAgentProtocol.swift
@@ -10,32 +10,13 @@ extension SSHAgent {

        case requestIdentities = 11
        case signRequest = 13
-        case addIdentity = 17
-        case removeIdentity = 18
-        case removeAllIdentities = 19
-        case addIDConstrained = 25
-        case addSmartcardKey = 20
-        case removeSmartcardKey = 21
-        case lock = 22
-        case unlock = 23
-        case addSmartcardKeyConstrained = 26
-        case protocolExtension = 27
-

        public var debugDescription: String {
            switch self {
-            case .requestIdentities: "SSH_AGENTC_REQUEST_IDENTITIES"
-            case .signRequest: "SSH_AGENTC_SIGN_REQUEST"
-            case .addIdentity: "SSH_AGENTC_ADD_IDENTITY"
-            case .removeIdentity: "SSH_AGENTC_REMOVE_IDENTITY"
-            case .removeAllIdentities: "SSH_AGENTC_REMOVE_ALL_IDENTITIES"
-            case .addIDConstrained: "SSH_AGENTC_ADD_ID_CONSTRAINED"
-            case .addSmartcardKey: "SSH_AGENTC_ADD_SMARTCARD_KEY"
-            case .removeSmartcardKey: "SSH_AGENTC_REMOVE_SMARTCARD_KEY"
-            case .lock: "SSH_AGENTC_LOCK"
-            case .unlock: "SSH_AGENTC_UNLOCK"
-            case .addSmartcardKeyConstrained: "SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED"
-            case .protocolExtension: "SSH_AGENTC_EXTENSION"
+            case .requestIdentities:
+                return "RequestIdentities"
+            case .signRequest:
+                return "SignRequest"
            }
        }
    }
@@ -47,17 +28,17 @@ extension SSHAgent {
        case agentSuccess = 6
        case agentIdentitiesAnswer = 12
        case agentSignResponse = 14
-        case agentExtensionFailure = 28
-        case agentExtensionResponse = 29

        public var debugDescription: String {
            switch self {
-            case .agentFailure: "SSH_AGENT_FAILURE"
-            case .agentSuccess: "SSH_AGENT_SUCCESS"
-            case .agentIdentitiesAnswer: "SSH_AGENT_IDENTITIES_ANSWER"
-            case .agentSignResponse: "SSH_AGENT_SIGN_RESPONSE"
-            case .agentExtensionFailure: "SSH_AGENT_EXTENSION_FAILURE"
-            case .agentExtensionResponse: "SSH_AGENT_EXTENSION_RESPONSE"
+            case .agentFailure:
+                return "AgentFailure"
+            case .agentSuccess:
+                return "AgentSuccess"
+            case .agentIdentitiesAnswer:
+                return "AgentIdentitiesAnswer"
+            case .agentSignResponse:
+                return "AgentSignResponse"
            }
        }
    }
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHCertificateHandler.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHCertificateHandler.swift
@@ -30,24 +30,20 @@ public actor OpenSSHCertificateHandler: Sendable {
    /// - Returns: A ``Data`` object containing the public key in OpenSSH wire format if the ``Data`` is an OpenSSH certificate hash, otherwise nil.
    public func publicKeyHash(from hash: Data) -> Data? {
        let reader = OpenSSHReader(data: hash)
-        do {
-            let certType = String(decoding: try reader.readNextChunk(), as: UTF8.self)
-            switch certType {
-            case "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-                "ecdsa-sha2-nistp384-cert-v01@openssh.com",
-                "ecdsa-sha2-nistp521-cert-v01@openssh.com":
-                _ = try reader.readNextChunk() // nonce
-                let curveIdentifier = try reader.readNextChunk()
-                let publicKey = try reader.readNextChunk()
+        let certType = String(decoding: reader.readNextChunk(), as: UTF8.self)
+        switch certType {
+        case "ecdsa-sha2-nistp256-cert-v01@openssh.com",
+            "ecdsa-sha2-nistp384-cert-v01@openssh.com",
+            "ecdsa-sha2-nistp521-cert-v01@openssh.com":
+            _ = reader.readNextChunk() // nonce
+            let curveIdentifier = reader.readNextChunk()
+            let publicKey = reader.readNextChunk()

-                let openSSHIdentifier = certType.replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
-                return openSSHIdentifier.lengthAndData +
-                curveIdentifier.lengthAndData +
-                publicKey.lengthAndData
-            default:
-                return nil
-            }
-        } catch {
+            let openSSHIdentifier = certType.replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
+            return openSSHIdentifier.lengthAndData +
+            curveIdentifier.lengthAndData +
+            publicKey.lengthAndData
+        default:
            return nil
        }
    }
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHPublicKeyWriter.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHPublicKeyWriter.swift
@@ -97,7 +97,7 @@ extension OpenSSHPublicKeyWriter {

 extension OpenSSHPublicKeyWriter {

-    func rsaPublicKeyBlob<SecretType: Secret>(secret: SecretType) -> Data {
+    public func rsaPublicKeyBlob<SecretType: Secret>(secret: SecretType) -> Data {
        // Cheap way to pull out e and n as defined in https://datatracker.ietf.org/doc/html/rfc4253
        // Keychain stores it as a thin ASN.1 wrapper with this format:
        // [4 byte prefix][2 byte prefix][n][2 byte prefix][e]
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHReader.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHReader.swift
@@ -13,8 +13,7 @@ public final class OpenSSHReader {

    /// Reads the next chunk of data from the playload.
    /// - Returns: The next chunk of data.
-    public func readNextChunk() throws -> Data {
-        guard remaining.count > UInt32.bitWidth/8 else { throw EndOfData() }
+    public func readNextChunk() -> Data {
        let lengthRange = 0..<(UInt32.bitWidth/8)
        let lengthChunk = remaining[lengthRange]
        remaining.removeSubrange(lengthRange)
@@ -26,18 +25,4 @@ public final class OpenSSHReader {
        return ret
    }

-    public func readNextBytes<T>(as: T.Type) throws -> T {
-        let lengthRange = 0..<MemoryLayout<T>.size
-        let lengthChunk = remaining[lengthRange]
-        remaining.removeSubrange(lengthRange)
-        return lengthChunk.bytes.unsafeLoad(as: T.self)
-    }
-
-
-    public func readNextChunkAsString() throws -> String {
-        try String(decoding: readNextChunk(), as: UTF8.self)
-    }
-
-    public struct EndOfData: Error {}
-
 }
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHSignatureReader.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHSignatureReader.swift
@@ -1,57 +0,0 @@
-import Foundation
-import CryptoKit
-import Security
-
-/// Reads OpenSSH representations of Secrets.
-public struct OpenSSHSignatureReader: Sendable {
-
-    /// Initializes the reader.
-    public init() {
-    }
-
-    public func verify(_ signatureData: Data, for signedData: Data, with publicKey: Data) throws -> Bool {
-        let reader = OpenSSHReader(data: signatureData)
-        let signatureType = try reader.readNextChunkAsString()
-        let signatureData = try reader.readNextChunk()
-        switch signatureType {
-        case "ssh-rsa":
-            let attributes = KeychainDictionary([
-                kSecAttrKeyType: kSecAttrKeyTypeRSA,
-                kSecAttrKeySizeInBits: 2048,
-                kSecAttrKeyClass: kSecAttrKeyClassPublic
-            ])
-            var verifyError: SecurityError?
-            let untyped: CFTypeRef? = SecKeyCreateWithData(publicKey as CFData, attributes, &verifyError)
-            guard let untypedSafe = untyped else {
-                throw KeychainError(statusCode: errSecSuccess)
-            }
-            let key = untypedSafe as! SecKey
-            return SecKeyVerifySignature(key, .rsaSignatureMessagePKCS1v15SHA512, signedData as CFData, signatureData as CFData, nil)
-        case "ecdsa-sha2-nistp256":
-            return try P256.Signing.PublicKey(rawRepresentation: publicKey).isValidSignature(.init(rawRepresentation: signatureData), for: signedData)
-        case "ecdsa-sha2-nistp384":
-            return try P384.Signing.PublicKey(rawRepresentation: publicKey).isValidSignature(.init(rawRepresentation: signatureData), for: signedData)
-        case "ecdsa-sha2-nistp521":
-            return try P521.Signing.PublicKey(rawRepresentation: publicKey).isValidSignature(.init(rawRepresentation: signatureData), for: signedData)
-        case "ssh-ed25519":
-            return try Curve25519.Signing.PublicKey(rawRepresentation: publicKey).isValidSignature(signatureData, for: signedData)
-        case "ssh-mldsa-65":
-            if #available(macOS 26.0, *) {
-                return try MLDSA65.PublicKey(rawRepresentation: publicKey).isValidSignature(signatureData, for: signedData)
-            } else {
-                throw UnsupportedSignatureType()
-            }
-        case "ssh-mldsa-87":
-            if #available(macOS 26.0, *) {
-                return try MLDSA87.PublicKey(rawRepresentation: publicKey).isValidSignature(signatureData, for: signedData)
-            } else {
-                throw UnsupportedSignatureType()
-            }
-        default:
-            throw UnsupportedSignatureType()
-        }
-    }
-
-    public struct UnsupportedSignatureType: Error {}
-
-}
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
@@ -112,7 +112,7 @@ extension SecureEnclave {
            var accessError: SecurityError?
            let flags: SecAccessControlCreateFlags = switch attributes.authentication {
            case .notRequired:
-                []
+                [.privateKeyUsage]
            case .presenceRequired:
                [.userPresence, .privateKeyUsage]
            case .biometryCurrent:
Author	SHA1	Message	Date
Max Goedjen	abf5c26d58	Update LOCALIZING.md Added a section on handling updates for translations.	2025-09-01 18:54:16 -07:00
Max Goedjen	6dc93806a8	Enable GitHub private security issue reporting and update policies (#653 ) * Revise security vulnerability reporting process Updated security reporting instructions in README.md. * Change vulnerability reporting email to GitHub feature Updated the vulnerability reporting method to use GitHub's private reporting feature.	2025-09-02 01:46:06 +00:00
Max Goedjen	99a6d48e53	Specify private key usage explicitly (#652 )	2025-09-01 02:41:47 +00:00